Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Access Management / Identity Management

High Tech Security That Fits in A Wallet

July 1, 2011
/ Print / Reprints /
ShareMore
/ Text Size+
Woman using a smart card

Depending on how the card is used will determine the level of encryption needed. The more critical and sensitive the data are, the more encryption should be added to the smart card, making it harder for anyone to hack into the information the card holds. Adding a biometrics layer to the encryption will bump up the level of protection even further, making it almost impossible for someone else to get access to the card’s data.

The University of Arizona, like major research universities across the country, found that many of its grants and contracts were tied to higher levels of access security. Access to buildings with old-fashioned keys and locks or cards with magnetic strips swiped into pin pads didn’t provide the amount of security the University was looking for. So the school made the switch to smart cards.

“We use smart cards primarily for access control into high secure areas.  Either tap, tap and 4-digit pin, or tap and biometric fingerprint,” says Diane Tatterfield, Assistant Director, CatCard Services at the University of Arizona. “In anticipation of future applications, we have added an area for transit. We prefer read only so that changes can easily be made in a database vice having to re-card 75,000 active cardholders should a new application be implemented.” 

The University of Arizona is just one of a growing number of organizations and institutions moving to smart card use. ABI Research, which recently released the study Government and Healthcare Citizen ID Cards, estimates that 1.5 billion smart cards or credentials will be issued through 2014.

Smart cards, ABI Research says, have become essential tools for organizations to combat fraud and to create a better sense of security. The cards cover a wide range of uses – they can open doors; they can carry financial data; they can provide access into secure areas.

The way we think about smart cards and their role in security was driven with the events of September 11, 2001, Martin Janiak, president of Veridt, explains. He points to the moment he believes smart cards really took off as a risk management tool – when the nation’s ports began requiring transportation workers to have smart cards that needed background checks. Having the smart cards showed truckers and others who worked in transport had gone through a vetting process and could have direct access to ports.  Government entities began to incorporate smart card use, and over time the mandate for higher security has moved into the private sector.

Technology in smart cards has advanced considerably over the years, adding biometrics as an additional security level to help prevent fraud. Janiak says another level of security can be added with digital certificates. According to Janiak, today’s smart cards can be linked directly to an individual via biometrics, while the certificate verifies the card’s validity, making sure it hasn’t been revoked or compromised.

Smart cards help prevent fraud and reduce risk because they create a layered security environment. For example, a card is linked to an individual so that person can go through the front gate of a building. But once that card is read by the reader, it determines first if the individual is allowed access and then where else in the facility the individual will have access to. A card equipped with biometrics can ensure that this person truly is permitted access to restricted areas. Bottom line, with a layered approach, says Janiak, security management can invoke higher levels of clearance with relative ease and confidence that people entering certain areas are allowed to be there.

Biometrics provide important protection if the smart card is lost or stolen, since the biometric data stored can only belong to one person. But biometrics is not going to be the security solution for everyone, says Tatterfield.

“Being a research facility, we found that some people’s fingerprints are hard to read, or can’t be enrolled, because they deal with chemicals and their fingerprints are worn off,” she says. “In that case, readers have to be swapped out with pin pads.”

For as secure as the smart cards are, Tatterfield does have some concerns about using them on her campus. “As we saw with MiFare, it was hacked but in a controlled environment,” she says. (MiFare is the trademark of a series of chips used in contactless smart cards.) “With ‘compartments’ now going to ‘data streams,’ I feel more secure with the advanced cards; however, we constantly have to stay ahead of the bad guys.” Tatterfield adds that another concern for smart card use is the size of the University of Arizona. “With an institution of this size, sometimes it is very challenging to develop a migration path to the next level of security without having to re-card a mass amount of people. If you have the project management skill set, along with the subject matter experts, usually a good plan can be put in place providing the industry supports migration research and development.”

Woman holding a smart card

Smart cards, ABI Research says, have become essential tools for organizations to combat fraud and to create a better sense of security. The cards cover a wide range of uses – they can open doors; they can carry financial data; they can provide access into secure areas.

How to incorporate smart card security into an organization really depends on its overall security plan. Once a company understands the ground rules require for security operations, then it can move into deciding how to best incorporate a smart card into the business. Are the risks of unauthorized access high or low? If it is high, is turning to biometrics the best way to control who has access to an area? Does the company want to be able to verify that the person with access is who he says he is? Security risks are best mitigated if there is a solid security policy and plan in place before instituting new technology, according to Janiak.

Organizations also want to consider what kind of applications the smart cards are being used for and what information is being protected, explains Jennifer Toscano, marketing manager with Ingersoll Rand. Depending on how the card is used will determine the level of encryption needed. The more critical and sensitive the data are, the more encryption should be added to the smart card, making it harder for anyone to hack into the information the card holds. Adding a biometrics layer to the encryption will bump up the level of protection even further, Toscano adds, making it almost impossible for someone else to get access to the card’s data.

However, Shane Cunningham, marketing communications manager with Digital Identification Solutions, warns that when buying into smart card technology, it should be the newer technologies on the market, rather than older technologies, especially those like the earlier versions of Mifare, that has been hacked. The latest technologies, Cunningham points out, have better encryption.

While the point of using smart cards is to reduce security risks, smart cards come with their own inherent risks that need to be taken into consideration. One of the biggest smart card risks is loss or theft, says Andrew Peterson, senior manager with Kanematsu. Cards will have different levels of security. Take a college student ID, for example. Many students use their cards as a credit or debit card, and the only verification of its use is a signature, which may or may not be checked. On the other hand, a card with a biometric layer of security would require the user to provide, say, a fingerprint before access is permitted.

However, one of the fundamental features to the smart card system is each card holder is added to a database, with information to uniquely identify that individual. Within the database, the administrator can set permission levels. If the card is lost or stolen, and reported, the card number can be flagged. If it isn’t reported, access can be revoked because the person is using it to enter into an unauthorized area or tries to enter the building in the morning when the card only allows access in late afternoon and evening hours, for example.

Because buying smart cards can be a drain on the budget, some companies try to cut down on expenses by recycling or reissue old cards. This cuts down on the overall effectiveness of the card. What often happens, Cunningham explains, is an adhesive skin is attached to the card, and to the skin, personalization such as hologram lamination or UV printing is added. The problem is, the skin can be easily removed and replaced while the data on the card stays the same, meaning it would be simple for someone with a lower security access to co-op another person’s higher security card.

Even though smart cards have been around for years, the advances in technology have helped make the cards an easy and convenient fraud and risk management solution.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Sue Marquette Poremba

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security Magazine 2014 September cover

2014 October

Security takes a look at safety and preparedness for the harshest of weather phenomena in this October 2014 edition of the magazine. Also, we investigate supply chain security and the many benefits of PSIM. 

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.